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Abstract 



Esterel is a synchronous concurrent programming language dedicated to reactive systems 
(controllers, protocols, man-machine interfaces, etc.). Esterel has an efficient standard 
software implementation based on well-defined mathematical semantics. We present a new 
hardware implementation of the pure synchronization subset of the language. Each program 
generates a specific circuit that responds to any input in one clock cycle. When the source 
program satisfies some statically checkable dynamic properties, the circuit is shown to be 
semantically equivalent to the source program. The hardware translation has been effectively 
implemented on the programmable active memory Perle developed by J. Vuillemin and his 
group at Digital Equipment Paris Research Laboratory. 



Resume 



Esterel est un langage de programmation synchrone congu pour la programmation des 
systemes reactifs: controleurs, protocoles, interfaces homme-machine, etc. Esterel possede 
une implementation logicielle complete fondee sur sa semantique mathematique. Cet article 
presente une nouvelle implementation materieile du sous-ensemble d'Esterel restreint a la 
synchronisation pure. Chaque programme est traduit structurellement en un circuit specifique 
qui repond a toute entree en un cycle d'horloge. La traduction est demontree correcte 
sous reserve que le programme satisfasse une condition testable statiquement. La traduction 
materieile d'Esterel a ete effectivement implementee, et des experimentations ont ete conduites 
sur la memoire active programmable Perle developpee au Laboratoire de Recherche de Digital 
Equipment a Paris (PRL) par Jean Vuillemin et son equipe. 
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1 Introduction 

Esterel [3, 4, 5, 10] is a synchronous programming language devoted to reactive systems, 
that is to systems that maintain a continuous interaction with their environment by handling 
hardware or software events. Its software implementation is currently used in industry and 
education to program software objects such as real-time controllers, communication protocols 
[6, 23], man-machine interfaces [14], systems drivers, etc. In this paper, we present a hardware 
implementation of the pure synchronization subset of the language that builds a specific 
circuit for each program. We prove the correctness of this implementation with respect to the 
mathematical semantics of the language under some conditions to be satisfied by the source 
program. We describe the experiments made so far and the possible uses of the hardware 
implementation. 

The Perfect Synchrony Hypothesis 

Esterel is an imperative concurrent language with very high-level control and event 
manipulation constructs. It is based on a perfect synchrony hypothesis [2], which states that 
control transmission, communication, and elementary computation actions take no time, or, 
in other words, that the program is conceptually executed on an infinitely fast machine. The 
control structures include sequencing, testing, looping, concurrency, and a powerful exception 
mechanism which is fully compatible with concurrency, unlike in asynchronous concurrent 
programming languages [1]. The primitive communication device between concurrent 
statements is instantaneous broadcasting of signals. 

The perfect synchrony hypothesis is shared by the synchronous data-flow languages Lustre 
[12, 20] and Signal [17, 19]. It makes programming very modular and flexible, and it makes 
it possible to reconcile input-output determinism and concurrency. This is a great benefit 
over classical asynchronous languages such as Occam or Ada that are inherently non- 
deterministic, a characteristic that makes reactive programming and debugging needlessly 
difficult, as explained in [1]. 

Esterel is rigorously defined by well-analyzed mathematical semantics, given in both 
denotational and operational styles [5, 18]. 

Esterel in Software 

The standard Esterel compiler is directly based on one of the mathematical semantics. 
It uses sophisticated algorithms to translate a concurrent reactive program into an equiva- 
lent efficient sequential automaton that can be implemented in any conventional language. 
Concurrency is compiled away during this process. The resulting automaton can be directly 
run by actual applications. In addition to the compiler, the Esterel environment includes 
sophisticated tools such as symbolic or graphical simulators and interfaces to automata-based 
program verification systems such as Auto [9]. 
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Esterel in Hardware 

Since many CAD systems directly support automata-like specifications, Esterel programs 
can be implemented in hardware by first translating them into automata using the standard 
compiler. However, this indirect translation looses most of the source concurrent structure. 
This is usually a good idea in software, where run-time concurrency is in fact expensive, 
but not in hardware, where concurrency is free and should be used as much as possible. 
Furthermore, there is no simple relation between the source program size and the size of the 
generated automaton. In the worst case, the automaton size can be exponential in the source 
program size, and square factors are not rare. Again, this is much more acceptable in software 
than in hardware. 

The direct hardware implementation we present here is conceptually much better; it is based 
on on Gonthier's semantic analysis of Esterel [18]. It transforms each program into a digital 
circuit that exactly reflects the source concurrency and communication structure. The circuit 
computes the response to any input within exactly one clock cycle, however complex the 
program is. The translation is purely structural (compositional) and linear in size. However, it 
is at present limited to the pure synchronization subset of the language, which we call Pure 
Esterel, and it works only under some restrictive conditions to be satisfied by the source 
program. 

The translation is completely formalized and proved correct with respect to the mathematical 
semantics under the above restrictive conditions. Correctness relies on the fact that perfect 
synchrony does not depart very much from digital circuit synchrony: zero-time is simply 
replaced by one cycle. 

Actual Implementation and Applications 

The translation from programs to circuits has been implemented within the existing Esterel 
compiler. We have run very successful experiments using the XiLiNX™-based PerleO 
programmable coprocessor developed at DEC Paris Research Laboratory by J. Vuillemin et. 
al. [8,25]. 

We are currently investigating two kinds of applications: 

• Implementing existing Esterel programs in hardware to match high performance 
constraints. For example, we have directly implemented the kernel of a fast local area 
network protocol that was developed in Esterel at INRIA [22]. 

• Programming hardware controllers in Esterel. The language turns out to be well- 
adapted to programming the control part of a circuit, which is known to be difficult and 
error-prone with usual techniques. We show a toy example in Appendix A. 

The fact that the language can be implemented either in software or in hardware is useful 
in two respects: one can use the software programming environment to develop, debug, and 
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verify the programs; one can experiment various trade-offs between hardware and software 
without changing the source code. 

Esterel and Lustre 

The Lustre synchronous language has also been implemented on hardware at DEC PRL, 
and the implementations of Esterel and Lustre are fully compatible 1 . It has to be noted 
that both languages differ from most existing hardware description languages by the fact that 
they deal only with behaviors and not with hardware objects, and also by the care with which 
they were mathematically defined and studied. To describe circuits, Lustre and Esterel are 
complementary: Lustre is well-adapted to data path description, Esterel is well adapted 
to control automata. 

Structure of the Paper 

Section 2 presents the pure Esterel language and its intuitive semantics. We give 
enough material for the paper to be self-contained, but not to fully understand the Esterel 
programming style, referring to [4, 5] and to the Esterel documentation for these aspects. 
The mathematical semantics of Pure Esterel is given in Section 3. Section 4 presents an 
essential part of the theory of Esterel, the coding of states by haltsets. This coding is the 
root of the hardware translation, whose principle is presented by examples in Section 5. The 
translation is then formalized in Section 6 and proved correct in Section 7. We discuss the 
actual implementation on PerleO in Section 8 and conclude. An appendix gives the example 
of a simple bus interface and briefly analyzes the adequacy of Esterel to program hardware 
controllers. 

2 Pure Esterel 

We first present signal and events which are the basic objects manipulated by Pure 
Esterel programs. We then present the kernel language on which the semantics is defined 
and the full language that includes kernel-definable user-friendly statements. 

2.1 Signals and Events 

Pure Esterel deals with signals S, Si, . . . and with events E, E\, . . . that are sets of 
simultaneous signals. A signal that belongs to an event is said to be present in that event, 
otherwise it is said to be absent. 

The execution of a program associates a sequence of output events with any sequence of 
input events. The program repeatedly receives an input event E{ from its environment and 
reacts by building an output event E[. That E{ and E[ are synchronous is expressed by the 

'A byproduct of our work is a translator from pure Esterel into Lustre. 
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fact that any external observer observes a single event E{ U E[. This is in particular true of 
any other program placed in parallel. 

The production of an output event from an input event is called a reaction. The flow of time 
being entirely defined by the sequence of reactions, we also call a reaction an instant. This 
gives sense to temporal expressions such as "instantaneously" or "immediately", which mean 
"at the same instant", or "from then on", which means "after the current instant included", or 
"in the strict future", which means "after the current instant excluded". 

We assume that each input event contains a special signal tick, which is therefore present 
at all instants. This addition to the original language defined in [5] is now supported by the 
Esterel implementation. The tick signal is analogous to the constant 1 in circuits or the 
constant true in Lustre. When programming digital circuits, it will naturally denote clock 
ticks. 

2.2 Modules 

The basic Pure Esterel programming unit is the module. A module has an interface, 
which specifies its input signals 1,11,... and its output signals 0,01,..., and a body, which 
is a statement that specifies its behavior 2 . The body can use any number of local signals for 
internal broadcast communication. To achieve modular programming, a module can instantiate 
other modules as described later on. Here is a sample module definition: 

module M: 
input II, 12 ; 
output 01; 
statement . 



2.3 Kernel Statements 

The primitive or kernel Pure Esterel statements are: 

nothing 
halt 
emit S 
stat i ; stat2 
loop stat end 

present S then stat\ else stat2 end 
do stat watching S 
stat\ | | stat2 
trap T in stat end 
exit T 

signal S in stat end 
2 There are also input-output signals, ignored here for simplicity. 
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One can use brackets ' [' and '] ' to group statements; by default, '; ' binds tighter than 
'II'- Both then and else parts are optional in a present statement. If omitted, they are 
supposed to be nothing. 

The statements are imperative and manipulate controls and signals. Most of them are 
classical in appearance. The trap-exit mechanism is a exception mechanism fully 
compatible with parallelism. Traps are lexically scoped. 

The local signal declaration "signal S in stat end" declares a lexically scoped signal S 
that can be used for internal broadcast communication within stat. 

2.4 The Intuitive Semantics 

The intuitive semantics deals with control transmission between statements and with signal 
broadcasting. A statement can start at some instant and remain active until it releases the 
control at some further instant, either by terminating or by exiting a trap. After termination or 
exit, a statement becomes inactive. A statement that terminates or exits at the same instant it 
starts is said to be instantaneous. When an active statement does not terminate and exits no 
trap at an instant, it is said to halt at that instant. 

The intuitive semantics is defined by structural induction on statements: 

• nothing terminates instantaneously. 

• halt never terminates nor exits. It always halts. 

• An "emit S" statement broadcasts the signal S and terminates instantaneously. 

• When started, a sequence "stat\ ; stat-i' immediately starts stat\ and behaves as it. If 
and when stat\ terminates, stat2 starts immediately and determines the behavior of the 
sequence from then on. If and when stat\ exits a trap T, so does the whole sequence, 
stat 2 being never started in this case. Notice that stat 2 is also never started if stat\ 
always halts. Notice also that "emit SI; emit S2" emits SI and S2 simultaneously 
and terminates instantly. 

• A loop acts as an infinite sequence. When started, "loop stat end" immediately 
starts its body stat. When the body terminates, it is immediately restarted. If the body 
exits a trap, so does the whole loop. The body of a loop is not allowed to terminate 
instantaneously when started. 

• Whena"present Sthenstafi el sestat2 end" statement starts, it starts immediately 
stat\ if S is present in the current instant and stat2 if S is absent. Thepresent statement 
then behaves as the corresponding branch. 

• The "do stat watching S" watchdog statement starts immediately its body and behaves 
as it until the time guard S occurs. 
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- If stat terminates or exits a trap strictly before S occurs, then the watching 
statement instantaneously terminates or exits the same trap. 

- If, in the strict future of the starting instant, S occurs while stat is still active, then 
the watching statement terminates instantaneously and kills stat, which is not 
activated in the corresponding instant. 

Notice two boundary problems: the guard becomes active only at the next instant 
following the starting instant; the body is not activated when the time guard elapses. As 
we shall see below, all other possibilities can be derived by combining kernel statements, 
which would not be true with another choice for watching. 

• When started, a parallel statement "stat\ \ \ stati' immediately starts stat\ and stati in 
parallel. A parallel terminates instantly if and when both stat\ and stat2 are terminated; 
they can terminate at different instants, the parallel waiting for the last one to terminate. 
If, at some instant, one statement exits a trap T or both statements exit the same trap T, 
then the parallel exits T. If both statements exit distinct traps Tl and T2 at the same 
instant, then the parallel only exits the outermost of these traps, the other one being 
discarded. 

• The statement "trap T in stat end" defines a lexically scoped trap T within stat. 
When the trap statement starts, it starts immediately its body stat and behaves as it 
until termination or exit. If the body terminates, so does the trap statement. If the 
body exits T, then the trap statement terminates instantaneously. If the body exits an 
enclosing trap U, so does the trap statement (traps propagate). 

• An "exit T" statement instantaneously exits the trap T. 

• When started, the statement "signal S in stat end" starts immediately its body stat 
with a fresh signal S, overriding the one that may already exist. The statement behaves 
as its body from then on. 

A global coherence law relates signal emission and testing: 

A signal is present at an instant if and only if it is received as input by the 
environment or emitted by the program itself at that instant. 

Remarks: 

Notice that an emission is transient, and that there is an asymmetry between present and 
absent signals. There is an emit statement to set a signal present, but no statement to set it 
absent: by the coherence law, this is just the default. 

Notice also that a loop never terminates by itself; the only way to end it is to kill it by 
elapsing an enclosing time guard or by explicitly exiting an enclosing trap from within the 
loop or from a statement placed in parallel with the loop. 
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Finally, notice that exiting one branch of a parallel terminates instantaneously the corre- 
sponding trap and therefore kills the whole parallel. All parallel branches are activated at the 
exit instant. For example, in "emit S | | exit T", the left branch emits S and terminates, the 
right branch exits T, so that the parallel emits S and synchronizes both branches by deciding 
to exit T. Therefore, being killed by an exit is less severe than being killed by an enclosing 
watching time guard, which does not activate its body when elapsed. 

2.5 Examples 

The only statement that provokes halting is halt. To take a finite but non-zero amount 
of time, a statement must involve halt statements guarded by watching statements. The 
simplest example is "do halt watching S" which waits for S and terminates: by itself, 
the body halt would halt forever, but the enclosing "watching S" guard kills it when S 
occurs, and it makes the whole statement terminate. Hence the statement is guaranteed to "last 
exactly one S" from the time it is started (remembering that an S present when the statement 
starts is not taken into account). Anticipating on the definition of derived statements, we write 
it as "await S". 

In the above example, S can be any signal, a second as well as a centimeter, a clock tick, or 
generally any kind of interrupt. Therefore, each signal is seen as defining its own time unit. 
Nesting temporal statements bearing on different time units is the main characteristic of the 
Esterel style [5, 4]. Here is a program that emits repeatedly 0 every I until reception of a 
signal STOP 



do 
loop 

await I ; emit 0 
end 

watching STOP 



Here 0 is not emitted when STOP occurs, even if I is present, since the inner loop is preempted 
by the external watching statement at that instant. 

In most event manipulation languages, the basic primitive is await, that waits for an 
event to start a computation in sequence. On the contrary, in Esterel, the main primitive 
is watching, that waits for an event to stop or preempt a computation. It is a much more 
powerful primitive than await. In particular, it is easy to derive await from watching, 
while the converse is definitely not true. 

Remember the boundary problem we mentioned when describing the watching statement. 
To also emit 0 if I is present when STOP occurs, one uses a trap: 
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trap T in 

loop await I; emit 0 end 
I I 

await STOP; exit T 
end 

This works since when one branch of a parallel exits a trap that encloses the parallel, the other 
branch is activated in the corresponding instant before being killed. It can perform its "last 
wills". 

The other boundary problem concerns the starting instant. If one wants the guard to be 
active initially, one writes 

present S else do stat watching S end 

readily abbreviated into the derived statement 

do stat watching immediate S 

The following toy example illustrates the preemption mechanism involved in concurrent 
exits: 

trap Tl in 
trap T2 in 

emit SI; exit Tl 
I I 

exit T2; emit S2 
end; 
emit S3 
end 

The first parallel branch emits SI and exits Tl. The second parallel branch exits T2 but 
does not emit S2 since an exit statement does not terminate. The body of the parallel exits 
simultaneously Tl and T2; since only the outermost trap matters, T2 is discarded and Tl 
propagates. Hence S3 is not emitted, and the outermost trap terminates with only SI emitted 

2.6 Full Esterel 

The full language has many useful derived statements. We briefly describe the most 
important ones. The complete list of derived statements and their expansions into kernel 
statements are given in [5] 
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Temporal Statements 

A temporal statement is characterized by the fact that its expansion involves present, 
watching, or halt kernel statements. We have already seen the simple await statement 
and the immediate guard variant. Here are some other useful constructs: 

• Boolean expressions on signals can appear in tests or guards, as in "present SI andS2" 
or "do stat watching not S". 

• One can count occurrences of a signal (or boolean expression) within a time guard, as in 
"await 3 S". Occurrence counts are not discussed in this paper but are easy to handle. 

• One can add a timeout clause to be executed when a watching statement terminates 
by elapsing its time guard and not when the body terminates by itself: 

do stat\ watching S timeout stat2 end 

is just an abbreviation for: 

trap T in 

do stat\; exit T watching S; 

stat 2 
end 

• The statement "do stat upto S" is just "do stat; halt watching S". Even if the 
body terminates, the upto statement waits for its guard to elapse. 

• Deterministic event selection has the form: 

await 

case SI do stat\ 

case S2 do stat 2 
end 

The statement waits simultaneously for SI and S2. If one of them occurs alone, 
the control is instantaneously transferred to the corresponding statement. If both 
signals occur at the same time, the control is transferred to S 1 only. This guarantees 
determinism. 

• There are two temporal loops: 

loop stat each S 
every S do stat end 

The first loop starts stat at once, and kills and restarts it afresh whenever S occurs. The 
second loop is similar but initially waits for S to start stat. 

• The "sustain S" statement emits S continuously. It abbreviates 

loop emit S each tick 
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General Traps 

There is a general exception handling mechanism that extends basic traps: 

trap Tl, T2 in 
stat 

handle Tl do stat\ 
handle T2 do stati 
end 

When a trap is exited, the corresponding handler is started instantaneously. Here the traps T 1 
and T 2 are concurrent. If they are exited simultaneously, both handlers are run in parallel. 

Module Instantiation 

Modular programming is achieved by the run statement, which instantiates a module in 
place, possibly invoking signal renamings: 

run M [signal S/I] 

A run statement terminates if and when the copied module body does. 



3 The Behavioral Semantics 



Several mathematical semantics have been developed for Esterel, including a denotational 
semantics that precisely formalizes the intuitive temporal concepts presented in Section 2.3. 
Here we prefer to use the behavioral semantics [5] that defines execution reaction by reaction, 
using Plotkin's Structural Operational Semantics technique (SOS for short). It is equivalent to 
the denotational one, as shown in [18]. 



3.1 Form of the Rules 



The behavioral semantics defines transitions of the form M — > M 1 where M is a module, 

I 

I is an input event, O is the corresponding output event, and M' is a new module that will 
correctly respond to the next input events. In other words, M 1 is the new state of M after the 
reaction to I. The reaction Oi , O2, ■ ■ ■ , O n , ... to an input sequence I\ , I2, . . . , I n , ■ ■ ■ is then 
defined inductively by chaining elementary reactions: 

Oi o 2 o„ o„ +1 
M — > Mi — > M 2 . . . M n _! — > M n > . . . 

■^1 h In In+i 

0 E',k 

A behavioral transition M — > M' is computed using an auxiliary relation stat > stat' 

1 ~ E 
defined by structural induction on statements. Here E is the current event in which stat 
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evolves, E' is the event made of the signals emitted by stat, and k is an integer termination 
level that codes the way in which stat terminates or exits and is precisely defined below. 

The current event E is made of all the signals that are present at the given instant; because 
of the coherence law, E must contain the set E' of emitted signals, which in turns depends on 
E. Hence E and E' will be computed asfixpoints, the frxpoint equation being located in the 
local signal rule below. 

Let stat be the body of M and stat' be the body of M'. The relation between both transition 
systems is as follows: 

0 o,k 

M — > M' iff stat > stat' for some k 

1 Ju0u{tick} 

(under the minor restriction that no input signal is internally emitted by stat, see [5]). 
Termination Levels 

The termination level A; is 0 if stat terminates in the current instant, 1 if stat halts in the 
current instant, and k + 2 if stat exits a trap T that is k trap levels above it, i.e. is if the exit 
must be propagated through k - 1 traps before reaching its trap. To handle the exit level, it is 
useful to first decorate the exit statements with the corresponding level, as in the following 
example: 

trap T in 
exit T 2 
I I 

trap U in 
exit T 3 
I I 

exit U 2 
end 
end 

Here the first T exit and the U exit are labeled 2 since there is no intermediate trap statement 
to traverse, while the second T exit is labeled 3 since one must traverse the trap U statement 
to reach the t rap T statement. This way of handling termination is simpler than the one used 
in [5], but equivalent to it as shown in [18] (see also [16]). 

3.2 Inductive Rules 

The nothing statement terminates instantaneously. 

0,0 

nothing > nothing 

E 
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The halt statements halts and rewrites into itself. 



0, 1 

halt > halt 

E 



An emit statement emits its signal and terminates. 



{S},o 

emit S > nothing 



If the first statement of a sequence terminates, the second statement is started at once; the 
emitted signals are merged to form the resulting emitted event, according to perfect synchrony. 



E[,o E' 2 ,k 2 
stat\ > stat', stati > stat 1 ? 

E E 

E[uE' 2 ,k 2 
stat i ; stat2 > stat' 2 



If the first statement of a sequence does not terminate, that is if it halts or exits a trap, the 
sequence behaves just as the first statement and the second statement is kept unchanged for 
further reactions. 



E[,k, 

stat i > stat', k > 0 

E 

E[M 

stat i ; stat2 > stat', ; stati 

E 



A loop instantaneously unfolds itself once. Its body is not allowed to terminate instantaneously. 



E',k 

stat > stat' k > 0 

E 



E',k 

loop stat end > stat' ; loop stat end 

E 



A present statement instantaneously selects its then branch if the signal tested for is 
present in the current instant. Otherwise, it instantaneously selects its else branch. 
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S e E stat\ > stat\ 



E[,k, 

present S then stat\ else stat^ end > stat\ 

E 



E' 2 ,k 2 

S e' E stat2 > stat' 2 



E' 2 ,k 2 

present S then stat\ else stat^ end > stat' ? 

E 

A watching statement transfers the control to its body and rewrites itself into a present 
statement in order to set the time guard at next instant if the body has halted. 



E',k 

stat > stat' 

E 



E',k 

do stat watching S > present S else do stat' watching S 

E 

A parallel statements starts its branches instantaneously, merges the emitted signals, and 
returns the max of the termination codes. We leave it to the reader to see that this max 
operation exactly performs the required synchronization in all termination cases. 



E'^k, E' 2 ,k 2 

stat\ > stat 1 , stat? > stat' 0 

E E 

E[uE 2 ,max(k u k 2 ) 

stat\ | | stat2 > stat', | | stati, 

E 

A trap terminates if its body terminates or exits the trap, that is returns termination code 2. 
If the body halts, so does the trap. If the body exits an enclosing trap, then the exit is 
propagated by subtracting 1 to the exit level. 



E',k 

stat > stat 1 k = 0 or k = 2 



E',o 

trap T in stat end > nothing 

E 

E',k 

stat > stat 1 (k = 1 and k' = 1) or (k > 2 and k' = k - 1) 

E 

E',k' 

trap T in stat end > trap T in stat' end 

E 
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An exit statement returns its exit level. 



0,k 

exit T fe > halt 



Finally, the local signal declaration rules wind up the events E and E' according to the 
coherence law given in Section 2.3. Within the body, they impose that a local signal is present 
in E if and only if it is emitted in E'. A local signal is obviously not propagated outside its 
declaration. 



E'u{S},k 

stat > stat' S g E' 

Eu{S} 



E',k 

signal S in stat end > signal S in stat' end 

E 



E',k 

stat > stat 1 S ^ E' 

E-{S} 



E',k 

signal S in stat end > signal S in stat 1 end 

E 

Remarks 

The resulting statement stat' is unused and therefore immaterial for any rule returning k > 1 ; 
it is discarded by the exited trap. If a rule returns k = 0, then its resulting term is equivalent 

to nothing. 

Because of the intrinsic fixpoint character of the local signal rule, our inference system does 
not yield a straightforward algorithm to compute a transition. Given any input I one must 
guess the right current event E and use the rules to check that there is a correct transition. 
Other semantics yield finer analysis and efficient algorithms to compute the reaction; see in 
particular the computational semantics in [5]. 

3.3 Correct Programs 

Not all Esterel programs make sense. We say that a module M is locally correct if there 

o 

is only one provable transition M — > M for any input event /. We say that M is correct if it 

I 

is locally correct and if all modules obtained by all possible sequences of provable transitions 
are locally correct. 

Correctness of Esterel programs is a difficult issue. It is similar to correctness of 
digital circuits (absence of races), although much more complex because of the power of 
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the Esterel instantaneous loop construct. The Esterel compiler checks for reasonably 
general sufficient correctness conditions, see [5]. Here, we just show two examples of (locally) 
incorrect programs. 

The following program has no fixpoint, since S should not be emitted if present and emitted 
if not present. It is analogous to X = —iX in circuits. 

signal S in 

present S else emit S end 
end 

The next program has two frxpoints, one of Si or S2 being present in each. It is similar to 
X\ = —1X2, X2 = -1X1 in circuits. 

signal SI , S2 in 

present SI else emit S2 end 
I I 

present S2 else emit SI end 
end 



4 The Haltset Coding of States 

We now present an essential concept of the theory of Esterel, the unambiguous coding 
of any state by a set of control points in the original program. Technically, control points are 
represented by halt positions in the kernel expansion of the module body (notice that the 
expansion of any derived temporal statement generates at most one halt). Since Esterel 
is concurrent, a state is given by a set of control positions, which we call a haltset. The haltset 
coding is important in two respects. First, its existence shows the rationality of Esterel: 
only finitely many statements be generated by the rewritings of a given statement. Second, it 
is the direct basis of the hardware implementation, and it is also heavily used in the software 
implementation. 

The reader might skip this section at first reading and proceed directly with the informal 
presentation of the hardware translation in Section 5. However, an understanding of the 
material presented here will be necessary to see why the translation is done that way and why 
it indeed works. 

In the sequel, we consider a fixed correct module M of expanded body stat. For technical 
reasons, we assume that the body of M never terminates, adding a trailing halt if necessary. 
This condition does not change the observable behaviors; of course, adding a trailing halt is 
done after expansion and not in modules copied by M. 

Call a derivative of stat any statement stat' that can be reached from stat by some sequence 
o 

of reactions — > provable in the behavioral semantics. So far, the derivatives are defined by a 
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rewriting process and bear no obvious structural relation with the source term stat. We show 
that any derivative can be unambiguously coded by a haltset H of stat, that is by a set of 
occurrences of halt statements in the kernel statement stat. 

Consider for example the derivatives of "await SI; await S2; halt". There are three 
halt statements, the two first ones being respectively generated by the first and the second 
await. Number them 0, 1,2. The whole statement itself will be coded by the empty haltset 
0. The derivative that waits for SI is 

present SI else 

await SI 
end; 

await S2 ; 
halt 

Its haltset will be {0}, the index of the halt generated by the active "await SI" statement. 
The derivative that waits for S 2 is 

present S2 else 

await S2 
end; 
halt 

Its haltset will be {1} since the second await is active. The final derivative is halt, coded 
by {2}. Non-singleton haltsets will be constructed by the parallel operator, which will return 
the union of the haltsets of its branches. 

4.1 Haltsets 

We number all occurrences of halt in stat by distinct integers from 0 to n, n > 0. Then a 
haltset IT is a subset of [0..n]. that satisfies the following separation condition: If stat\ and 
stat2 are the two statements of a sequence or the two branches of a present test, then H 
cannot contain an occurrence of halt in stat\ together with an occurrence of halt in stat2- 

We decorate the behavioral semantics rules by returning a haltset H when executing a 
numbered term. This haltset will record the places where the term has halted. The rules take 

E',k, H 

the new form stat > stat 1 . We always return H = 0 when k 4 1 and H 4 0 when 

E 

k = 1. Adding haltsets is easy for all rules except the parallel one. Executed halt statements 
are put into the haltset by the rule of halt and propagated by the other rules. Since the 
transformation is fairly obvious, we just list a few rules and leave the other ones to the reader. 



0, o, 0 



nothing 



* nothing 



E 
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. 0,1, {*} 
halt 1 > halt 1 



£[,0,0 E[,k 2 ,H 2 

stat\ > stat', stati > stati, 

E E 

E[uE 2 ,k 2 ,H 2 
stat i ; stat 2 > stat' 2 



E[,k u Hi 

stat i > stat\ k\ > 0 

E 

E[,k u Hi 

stat i ; stat 2 > stat[ ; stat2 



E',k,0 

stat > stat' k = 0 or k = 2 



£',o,0 

trap T in stat end > nothing 



E',k,H 

stat > sfatf' (fc = 1 and k' = 1) or (k > 2 and A;' = k - 1) 

E',k',H 

trap T in sfaf end > trap T in stat' end 

For a parallel, we return the union of the haltsets returned by the branches unless one of 
the branches exits a trap, in which case we return an empty haltset. We make an additional 
technical modification explained later on: when one branch terminates, we rewrite it into 

nothing. 



E[,k u Hi 

stat\ > stat\ 

E 

E' 2 ,k 2 ,H 2 

stat2 > stat'j 

E 



H = 



stat 



Hi U H2 if max(ki, A^) < 1 
0 if max(ki, A^) > 1 

, _ J stat'i if ki ^ 0 

I nothing if k{ = 0 



jto^i I I stat2 > 5faf" I I stat 1 ^ 
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Since a module body is supposed to always halt, its global termination code must be 1 . Hence 
the rules always returns a well-defined haltset H for any immediate derivative. This haltset is 
easily seen to satisfy the separation condition. 

4.2 Recovering derivative from haltsets 

We now recover the derivative stat' from stat and H . We proceed in two steps. First we 
define a labeled term stat H obtained by labeling the subterms of stat by either H+ or H — ; a 
subterm is labeled H+ if and only if it contains at least one occurrence of halt whose number 
is in IT. If we care about the label of stat H itself, then we write it explicitly, as in stat H+ . The 
labels are of course redundant with H, but they make the definitions and proofs much simpler 
to write. 

Then we define a term TZ(stat H ) by structural induction on stat H . Subterms labeled by - 
and halt statements are left unchanged. 



trap and local signal declaration constructs are handled by trivial structural induction. 



U(stat H ) = stat 
K(Yialt iH ) = halt* 



7£(trap T in stat end ) = trap T in H.(stat ) end 



7£(signal S in stat end H ) = signal S in 1Z(stat H ) end 



The only non-trivial cases are: 



TZ(statf + ; statf ) 
TZ(statf~ ; statf + ) 



lZ(statf + ); stati 
TZ(statf + ) 



TZ(1 oop statf + end) 



TZ(statf + ); 
loop stat\ end 



7£(present S then statf + else statf end) 



TZ(statf + ) 
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^(present S then statf else statf + end) = U(statf + ) 



IT I 

TZ(do stat\ watching S) = 

TZ(statf + | | staff + ) = 

TZ(statf + | | staff ") = 



present S else 

do lZ(statf + ) watching S 
end 

TZ(statf + ) | | TZ(statf + ) 
TZ(statf + ) | | nothing 



TZ(statf~ | | staff + ) 



= nothing | | TZ(statf + ) 



Notice that these definitions make sense only when the separation condition is satisfied. Notice 
also why we return nothing in the semantics rules when a branch terminates: this simplifies 
the definition of TZ. 

Since they exactly reproduce the (new) behavioral rules right-hand side terms, one easily 
shows lZ(stat H ) = stat' as expected. 

We now give the main result: the coding extends from immediate derivatives to general 
ones. This is not completely obvious since the TZ operator can duplicate halts in the loop 
case. The result is as follows: 

Theorem 1 Let stat be the body of a correct program. Let H be a haltset in stat. Then for 
any behavioral rewriting of the form 

E f 1 H f 

ft(stat H ) — ^— ► stat' 

E 

the haltset H' contains only halts occuring in stat' and one has stat' - ^(stat^'). 

Proof: The proof is by structural induction on stat and by case inspection on the rule applied to the 
whole term Histat 11 ) to yield staf . All cases being similar, we treat the sequence and the loop as 
examples. We consider a given current event E. 

Let first stat = stat\ ; stati- There are three cases according to the labeling generated by H. 

• If stati is labeled by H+, then H(stat H ) = H(statf). By correctness and by the hypothesis that 

E',\,H' 

stat halts, TZ(statf ) has a unique rewriting H(statf ) > stat', where H' is a nonempty 

E 

haltset that only contains halts in stah- By induction, one has stat 1 = Histatf + ). Since H' is 
all in stah and nonempty, one has 1Z(statf + ) = IZistat 11 ) by definition of 1Z() and the result 
follows. 

• The two other cases can be grouped into one. They correspond to a term stat = Histatf); stati, 
taking H as given if stat = H(statf + ); stati and H = 0 if stat itself has label H— . By 
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correctness, stat has a unique behavior, computed by either the first or the second sequence 
rule. If the first sequence rule is used, then stat 1 is generated entirely by statt and the 
results follows as in the first case. If the second sequence rule is used, the termination 
code of H(stat^) is 1 since stat halts. By induction and by the form of the rule, one has 
staf = H(statf + ) ; stati = H(stat H ) for some nonempty H' having all its halts in stat i . The 
result follows. 



Assume now stat = loop stati end. There are two subcases. If stat is labeled by H-, 
then TZistat 11- ) = loop stat\ end. The only applicable rule is the loop rule. It asks for 
computing stat\, which must halt since stat does. By induction and by the loop rule, one has 

E 1 1 H 1 

stat ► H(statf + ); stat for some H'. The last term is just H(stat H ) as expected. If stat is 

E 

labeled by H+, then TZ(stat H+ ) = TZ(stat^ + ) ; stat. If the first term does not terminate, we proceed 
as in the first loop case. Otherwise, the loop must be unfolded once and we are back again in the first 
loop case. | 



Corollary 1 Let stat be a module body. Then any derivative stat' of stat is equal to 1Z(stat H ) 
for some haltset H, and there are only finitely many derivatives. 



Proof: By induction on the length of a rewriting sequence stat^staf, since stat itself is equal to 

IZistat 0 ) and since stat always returns k = 1 . The finiteness property is obvious since there are only 
finitely many possible haltsets. | 



5 Principle of the Hardware Implementation 

In this section, we show by examples how to translate a Pure Esterel program into a 
digital circuit that computes the reaction of the program to any input in one clock cycle. The 
translation is structural: the circuit logical geometry is the same as that of the original program. 
The translation is directly based on the haltset coding theory of Section 4, but we present it in 
such a way that it can be understood independently of this coding. 

We start with a first example involving only halt and watching statements. Then we 
show how to handle concurrency and exceptions. Finally, we indicate how to efficiently 
translate the full language. The formal translation is given in Section 6. 

5.1 A First Example 

Consider the following program: 

module M: 
input I , R; 
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output 0; 
loop 
loop 

await I; await I; emit 0 
end 
each R. 

After an initialization instant in which I is ignored, the behavior is to emit 0 every two I , 
restarting this behavior afresh each R. Expanded into kernel statements, the body becomes: 

loop 
do 
loop 
do 

halt 
watching I; 
do 

halt 
watching I; 
emit 0; 
end 
watching R 
end 

The corresponding circuit is drawn in Figure 1. It has two input pins for I and R and one 
output pin for 0. There are four kinds of cells, called Boot, Watch, Present, and Halt. 
Cell output pins are primed. 

The Boot and Halt cells each contain one register, assuming to initially contain value 
0 and to be clocked by the global circuit's clock. The other cells are purely combinatorial. 
The Present cells are used for present and watching source statements, each source 
"watching S" statement being conceptually rewritten into "watch present S"; This 
slight syntactic modification simplifies the cells and makes it easy to implement boolean 
expressions. 

The circuit contains three sorts of wires: the selection wires s0-s5, the activation wires 
a0-a5, and the control wires c0-c8. The unconnected i and c'l pins of Halt cells 
corresponds to other wires unused here and described later on. Whenever two wires go to the 
same place, they are implicitly assumed to be combined by an or gate. 

The selection and activation wires go in reverse directions and form a tree that is called the 
skeleton of the circuit. This tree is determined by the nesting of halt, watching, and | | 
statements in the source program, following the abstract syntax revealed by the source code 
indentation. The leftmost Halt and Watch cells correspond to the first await, the rightmost 
ones to the second await. 
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The selection wires are used to determine which part of the circuit can be active in a given 
state: in our example, both await statements are in mutual exclusion, and only one of them 
can be active at a time. When the first await is active, the wires s2, si, and sO are set to 1. 
When the second await is active, the wires s4, s3, and sO are set to 1. The sources of the 
selection wires are the Halt cell registers. The upper selection wire sO is unconnected here, 
but we left it there to emphasize the structural character of the translation. 

The activation and control wires bear the flow of control. The activation wires handle 
preemption between watching statements. In our example, the outermost watching 
preempts the innermost one: by the semantics of Esterel, if R is present, the outermost 
watching terminates without letting its body execute. The upper activation wire aO is 
always set. 

The cells are defined as follows: 
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n := 1 
b = —in 

s' = s 
c' — s * a 
a' — c 

c't = c * S 
c' f = c * — \S 

s' :- c + (a * s) 

The notation is that of Palasm: '+' is or, V is and, '— i' is not, an equality is valid at all 
times, and a register is denoted by ' := '. Registers are supposed to contain initially 0. In the 
sequel, we say that a wire is high or set if it has value 1 and low or reset if it has value 0. We 
say that a register is set if it gets value 1 and reset if it gets value 0. Signals are assumed to be 
present when their wire is set and absent when their wire is reset. 

The output signal b of the Boot cell is high at first clock tick and remains then low. For 
a Halt cell, the value of the output signal s' is initially low and then that of c + (a * s) 
delayed one clock cycle. Hence a register is set either if an incoming control wire is set or 
if the activation wire is set and the register was already set 3 . The definition of Halt is only 
temporary: further pins will be added in Section 5.2. 

A Sample Execution 

At boot time, the Halt cell registers contain 0 and the selection wires are all low; the boot 
control wire b is high. Because of the cell equations, all other wires are low. Hence the only 
effect is to set the leftmost Halt register. 

On next clock tick, assume that I is present and R is absent. Then s2, si, and sO are 
set by the Halt register. Since aO is always set, the control flows down by setting cO that 
triggers the test for R in the upper Present cell. Since R is low, the control flows through 
the c' f pin and sets c2, which is connected to the c input pin of the Watch cell. This pin is 
directly connected to the a' output pin, and the control flows though a 1 and a 4 (which are 
connected with each other and form in fact a single equipotential). Since both s2 and al 
are high, the leftmost Watch cell sets c3 and the leftmost Present cell sets c4 since I is 
present. This sets the rightmost Halt register. Since s4 is low, the rightmost Watch cell is 
inactive. Having no incoming control set, the leftmost Halt register is reset. This terminates 
the first "await I" statement. 

On next clock tick, if I is present, the execution is symmetrical: the rightmost Halt is 

3 The multiplication by s is there to prevent setting the second Halt register in a term such as 

"do halt ; halt watching S" when a is set. 



Boot 



Watch < 



Present 



Halt 
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reset and the leftmost one is set. The wires set are s3, s4, aO, cO, c2, al = a4, c6, and c7. 
Since c7 is also connected to the output 0, this output is set. If instead R is present, the wires 
set are s3, s4, aO, cO, cl, and one is back to the state just after boot. If neither I nor R are 
present, then the wires set are s3, s4, aO, cO, c2, al = a4, c6, c8, and a3, and the state is 
simply restored as expected. 

Relation with the Haltset Coding 

Intuitively, the relation between our circuit and the haltset coding of derivatives is as follows: 

• A state of the circuit is a set of Halt cells set to 1. It is therefore exactly a haltset. 

• The selection wires just compute the + and - labels of statements, + being represented 
by a 1 in the selection wire. 

• Sending the control to the translation of a subterm stat\ by setting an incoming control 
wire amounts to execute stat\. For example, setting b executes the whole statement, 
setting b or cl execute the first await I, and setting c4 executes the second await I. 

• Sending the control to the translation of a subterm stat\ by setting its incoming activation 
wire amounts to execute TZ(stat^) if stat\ is labeled by + in H, i.e. if the corresponding 
selection wire is set. 

Hence, in a haltset H and an input /, the circuit just mimics the behavioral proof of lZ(stat H ) 
in /. This points will be made very precise in Section 7. 

Notice that the Boot cell is not really necessary since the initial state can also be recognized 
as the only state where all Halt cells have value 0, that is where the wire sO is low. We could 
as well connect the b wire to the negation of s 0 . However, it is convenient in practice to add 
the auxiliary Boot cell to reduce the length of wires and the number of logical levels. 

5.2 Translating Parallel and Exceptions 

The most complex operator is of course the parallel one, since it must synchronize the 
termination of its branches and propagate exceptions. Consider the following program 
fragment: 

trap T in 
await SI 
I I 

present S2 then exit T end 
end 

The corresponding circuit fragment is shown in Figure 2. The leftmost Watch-Present- 
Halt cell group is generated by "await SI". The rightmost Present cell is generated by 
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sO aO cO 



iO c8 c9 clO 



sac j c'o C 'i C '2 
Parallel 

s a' c' '" C O d c2 




Figure 2: second example 



"present S2", (where "else nothing" was omitted as usual). The branches are simply 
put in parallel and synchronized by the Parallel cell. The circuit fragment starts when it 
receives control by setting the c 0 wire. 

The Parallel cell has two parts: the fork part, which involves the six leftmost pins, and 
the synchronization part, which involves the eight rightmost ones. 

The fork part is simple: selection wires are gathered by an or gate and activation and 
control are dispatched to branches. 

The synchronization part is more subtle. The pins cO, cl, and c2 record the different 
termination modes according to their codes defined in section: cO means termination, cl means 
halt, and c2 means exiting T. With each termination pin ci is associated a continuation pin c'i. 
(In fact, c'i is not really a continuation in a usual sense: it is recursively linked to the cl entry 
of the enclosing Parallel cell when such a cell exists.) 
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As explained in Section 3, the synchronization realized by the parallel amounts to compute 
the max of the termination codes of its branches and to only activate the corresponding 
continuation. It therefore uses a priority queue. 

In our example, the left branch can halt, as signaled by setting wire c5, or terminate, as 
signaled by setting wire c3. The rightmost branch can terminate or exit T as respectively 
signaled by setting wires c 7 and c 6 . Since exiting T or terminating the parallel lead to the 
same continuation, the continuations wires c 8 and c 1 0 will reach the same input pin in any 
global circuit in which our fragment is placed. 

When the right branch exits T, the leftmost branch must be killed; technically, its halt 
statements must be removed from the current haltset. This is the role of the inhibition wire 
il that sends an inhibition signal to the halt register. In an actual execution context, the 
inhibition signal can also come from an enclosing parallel statement itself killed by some trap 
exit. It is then received on pin i by the wire i 0 . 

The final equations of the Parallel and Halt cells are: 



Parallel 



a — a 
c' = c 
c'l = cl 
pi = c'l 
c'l - cl * — ipl 
pO = cl + pi 
c'O = cO * -ipO 
i' = i + pl 



J c'l = c + (a* s) 
Halt \ . . 

I s :- (c + (a * s)) * —it 



where pO and pi are local wires used to compute the parallel continuation and inhibition 
values: if ci is the selected continuation, ci is set and all continuations cj are reset for j < i, 
and i' is set if p2 is. 

A Sample Execution 

Assume the circuit receives control by c 0 and therefore sets c 1 . 



• Assume S2 is present. Then c5 is set by the Halt cell and c6 is set by the right 
Present cell. The parallel cell selects the appropriate continuation clO and inhibits 
the halt register by setting i 1 . 
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• Assume instead S2 is absent. Then c5 is set by the Halt cell and c7 is set by the 
right Present cell. The selected continuation is c9; it signals halting to an eventual 
enclosing parallel statement. Since the inhibition wire il is low, the Halt cell register 
is set. The circuit then remains in the same state in further clock cycles as long as the 
activation wire aO remains high and SI remains low: the wires set are s2, si, sO, al, 
c2, c4, a2, c5, and c9. If aO remains high and SI is reset, the wires set are s2, si, 
sO, al, c2, c3, and c 8 . The whole construct terminates and the register is reset since 
c 1 and a 2 are low. The incoming activation wire a 0 can also become low before S 1 
occurs, for example because an enclosing watchdog elapses. Then the Halt register is 
also reset. 

General Parallel Cells 

In fact, the size of the priority queue in a parallel cell depends on the number of nested 
traps exited from within its source parallel statement. The number of pins ci, c'i for i > 2 
corresponds to the number of enclosing traps. With no trap, there is no such pin. The example 
explained one level of trap. With two levels of traps, as in 

trap U in 
trap T in 
... | | ... 

end 
end 

there would be a pin c2 for T and a pin c3 for U, and so on. 
5.3 Summary of the Translation 

The translation is done by connecting together cells corresponding to source statements. 
The cells are the same for all programs, but the parallel cells have a variable continuation arity 
according to the number of enclosing traps. 

The logical skeleton of the translation is given by the tree of Halt, Watch, and Parallel 
cells which mimics the tree of source halt, watching, and | | statements. Each edge of 
the tree is composed of an upward selection wire and a downward activation wire. Two sets 
of wires reinforce the skeleton: control wires that signal halting and go upwards from Halt 
and Parallel cells to Parallel cells, and opposite inhibition wires that force resetting 
the Halt registers in case of exceptions. 

In addition to the above cells, one finds a Boot cell used to boot the circuit, and Present 
cells generated by source present and watching statements. These cells are linked 
together and to skeleton cells by control wires. Each Present cell also receives as input a 
signal wire. Signal wires come either from input signal pins or from local signal cells, which 
are simply or gates. Control wires transfer the control from cell to cell. They also emit signals 
by being connected to output signal pins or to local signal or gates. The wiring of control 
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wires is determined by a continuation analysis, see Section 6. 

5.4 Optimization 

The reader may find that our circuits contain lots of wires and of logical levels, even for 
simple programs. In fact, this is because they are obtained by a strucural translation process and 
there is much room for automatic optimization. Many wires are simply connected with each 
other. Many generated logical functions are readily grouped by logic optimizers. Constant 
folding can also be used: for instance, the top activation wire is always set; using this fact, one 
can statically simplify many gates. 

Therefore, our circuits should not be directly implemented; they should instead be given 
as input to logic optimizers. We presently use optimizers based on Binary Decision Dags (or 
BDD's), see [11, 15, 24]. They drastically reduces the actual size of circuits. They can also 
discover redundancies between registers and suppress some of them [7]. 

Altogether, we believe that we can obtain final circuits that are as good as carefully hand- 
designed ones. Because of the power and efficiency of BDD-based optimization techniques, 
we think there is no need to search for a more sophisticated translation process. 

5.5 The Translation is Sometimes Incorrect 

Our translation does not translate correctly all programs. There are difficulties with local 
signals and with loops over parallel statements. 

First, we have allocated a single wire for a local signal. But even within a single reaction, 
an Esterel signal can have several independent avatars. Consider a statement of the form 

loop 

signal S in stat end 
end 

When the body terminates, it is restarted at the same instant with afresh signal S. This is made 
obvious by unfolding the body to get 

loop 

signal S ±n stat end; 
signal S ±n stat end 
end 

which is semantically equal and where there are clearly two distinct signals. 

In our circuits, a signal wire has only one state at a time: we cannot implement general local 
signals. We must require all local signals to be declared at toplevel in the module body. This 
is not a too big restriction in practice. 
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The second incorrectness is more subtle. The translation of the statement 

loop 

await S 
end 

is correct, but the translation of the equivalent statement 

loop 

await S 
I I 

nothing 
end 

is not since it involves an unstable combinatorial loop through the parallel synchronizer: when 

5 occurs, the parallel terminates and the loop makes it halt at the same time on await S. 
But halting justs inhibits the termination that should provoke it, hence the combinatorial loop. 
Unfolding the body would solve the problem; it still builds a combinatorial loop, but this time 
a safe one. 

The Esterel software checks for sufficient conditions for translation correctness. We are 
presently investigating a more powerful translation that will correctly translate all Esterel 
programs. It will be reported in another paper. 

6 The Formal Translation to Hardware 

We define the translation formally and prove its correctness in absence of bad loops over 
parallels. As explained in Section 5, we assume all local signal declarations to be at toplevel 
in the module body. 

6.1 Circuits 

We consider a circuit to be given by a set of input wires, a set of output wires, a set of local 
wires and a set of wire definitions that define output and local wires. There are two kinds of 
wire definitions: 

• An implication definition w <^= exp expresses a partial definition, read as "connect exp 
to w". There can be several implications per wire. 

• A register definition w :- exp defines a wire to be initially 0 and then the value of exp 
at previous clock cycle. There can be only one register definition per wire. 

Given a circuit C and a wire w, the set of implications w •<= expi in C defines w as 
w = Vi expi. Hence the right-hand-sides of implications are connected to an or gate. If 
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a wire w has no definition, it is considered to have an empty set of implication definitions, 
and therefore to be defined by w = 0. To stress the fact that a wire has a single implication 
definition in a circuit, we can write this definition using '=' instead of ' <= ' . 

Given any register state and any input, the semantics of a circuit is classically defined as a 
unique fixpoint of the equations, and a circuit is correct if a unique fixpoint always exists in 
any (reachable) state. We assume this to be well-known. 

6.2 The Translation Environment 

The formal translation is done by natural semantics inference rules [21]. The sequents have 
the form p h stat — > C, where p is a wire environment, stat is an Esterel statement, and C 
is the resulting circuit. 

As in natural semantics or in PROLOG, allocation of new wires is implicit and done when 
encountering free variables. To make things clear, we shall comment each rule and explicitly 
tell which are the newly allocated wires. 

The environment p is made of several wires, whose functions have been explained in 
Section 5. It contains the following fields 

• An incoming control wire c. 

• A selection wire s. 

• An activation wire a. 

• An inhibition wire i. 

• A vector of continuation wires c. The wire c 0 corresponds to termination, the wire c 1 
corresponds to halting, the wire c k+1 corresponds to exit k + 2, that is to exiting k trap 
levels. 

• A set of signal wires S, one for each input, output, or local signal S. For simplicity, 
we assume that all local signals have distinct names; then all local signal wires can be 
preallocated. 

We use the classical dot notation to get environment components: for instance, p.c denotes 
the control wire of p. Given an environment p, we shall often need to consider another 
environment p' that differs from p by the value of one field, say by changing p.c into c'. We 
then write p' = p[c <— c']. The notation extends naturally when changing several fields. 

To translate a module, we allocate a boot control wire b and a register n of equations 
b = —in, n := 1 as in Section 5, a dumy selection wire s, two dummy wires cO and cl for 
the (unused) continuations, a dummy inhibition wire i, and one wire S per signal, declaring 
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respectively input and output signals as inputs and outputs to the circuit. We translate the 
module body in the environment 

po = (b, s, 1, i,(cO, cl), S) 



6.3 The Translation Rules 

The cells of Section 5 were useful for an intuitive explanation, but in rules it is simpler to 
produce directly equations. 

For a nothing statement, we connect the incoming control to the termination continuation 
wire. 



p h nothing — > p.c •<= p.c 



For a halt statement, we connect the incoming control to the halt continuation wire, to 
signal halting to an enclosing parallel statement. We allocate a new selection wire s' defined 
as a register with input as explained in Section 5. We connect it to the environment selection 
wire p.s. 



p.c + (p. a * p.s) 



p.c' 

p h halt — > p.s •<= s' 

s' :- (p.c + (p. a* p.s)) * —ip.i 



For an emit statement, we connect the incoming control to the termination wire and to the 
signal wire. 



p h emit S 



p.c 0 
p.S < 



= p.c 
p.c 



For a sequence, we allocate a new wire c' for control transmission. We translate the first 
statement with c' as termination and the second statement with c' as incoming control. 



p[c 0 <- c'] h stat i — > Ci 
p[c <— c'] h stat2 — > C*2 



p h staty ; stat2 — > „ 

For a loop, we allocate a new wire c' to handle looping and we connect the incoming control 
to it. We translate the body with c' both as incoming control and as outgoing continuation. 
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p[c <- c',c° <- c'] h stof — > C 



h loop stat end 



c' 
C 



p.c 



For a present statement, we allocate two new control wires C[ and c 2 , then c\ is set when 
the incoming control is present and the signal is present, while c 2 is set when the incoming 
control is present and the signal is absent. We translate the branches with ci and c 2 as 
respective incoming controls. 



p[c 
p[c 



c\] h stat 1 
c 2 ] h stat2 



Ci 

c 2 



p h present S then stat\ else stat 2 end 



c\ — p.c * p.S 
C 2 = p.c * —ip.S 
Ci 

c 2 



For a watching statement, we allocate a new selection wire s' and connect it to p.s, and we 
allocate a new activation wire a'. The outgoing activation wire a' is set if if s' and p.a are set 
and the signal is absent. The outgoing termination wire p.c 0 is set if s' and p.a are set and the 
signal is present. 



p[s <— s' , a <— a'] h stat 



C 



p h do stat watching S 



p.s <= s 

a' = p.a * p.s * —ip.S 



p.c 
C 



^0 



p.a * p.s * p.S 



The parallel rule is of course the most complex one. It follows exactly the intuitive explanation 
given in Section 5. We allocate a selection wire s' connected to p.s, an inhibition wire i', a 
continuation vector c' of the same length k as p.c, and a priority vector p of length k — 1. We 
recursively translate the body with the new selection, inhibition, and continuation wires. Then 
we establish the priority queue to compute the outgoing continuations and the new inhibition 
wire i'. 
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k = \p.c\ 

p[s <— s', i <— i', c <— c'] h stat i — > C\ 

— * 

p[s <— s',i <— z',c <— c'] h Sta^ — ► C*2 





p.s < 






^ 

p.c 


1 ^_ I/fc-l 
s= c 




^fk-2 
p 


J fc-i 




p.c 


2 -d= P fc " 2 * -in fc " 2 




pk-3 


= C> fc "2 + p fc "2 


h Jto^i | | stat2 — > 


p° = 


<? 1 +P 1 




P-C° 


^ <? 0 * -np 0 




i' = < 


| p.i if A; < 3 
[ p.i + p 1 if jfe > 3 










c 2 





For a trap, we shift by 1 all wires in p.c after position 2 and we insert the termination 
continuation p.c 0 at exit position 2. The vector notations are obvious. 

p[c ^ (p.c 0 , p.c 1 , p.c 0 ) • p.c 2 -] h staf — > C 



p h trap T in stat end — > C 
For an exit, we connect the incoming control to the appropriate continuation. 

p h exit T fc — > p.c k <S= /?.c 

For a local signal declaration, we simply translate the body since the signals have been 
pre-allocated. 

p h stat — > C 



p h signal S in stat end — > C 

7 Correctness of the translation 

We first explain roughly the proof idea as if the translation was always correct. Consider 
the body stat of a correct module placed in the initial environment where the local signal wires 
have been cut. Then there are two separate wires for each local signal, one for input and one 
for output. Consider a signal environment E and a haltset H . There exists a unique behavior 
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E',1,H' E',1,H" 

stat i > stat\ with stat\ = TZ(stat^ ), and a unique behavior TZ(stat^) > stat'! 

E E 

with stat'l = lZ(statf ); uniqueness is obvious since there are no local signal declarations in 
stat\. 

The circuit fragment C (stat\ ) obtained by translating stat\ has two incoming control wires c 
and a. Then setting c realizes the first behavior, while setting the activation wire a realizes the 
second behavior. Furthermore, because of loops, c and a can be both set. Then the circuit sums 
up both behaviors with no interference between them. The proof goes simply by structural 
induction. 

Once this is shown, close the local signal wires. Then, for the module body stat, for any 
state H and real input event /, there exists a unique local event L and a unique output event O 
such that 

„ 0,1, H' , 

TZ(stat u ) > TZ(stat u ) 

7uLuOu{tick} 

But closing the local signal wires in the circuit has exactly the same coherence effect as in the 
semantics: a signal is there if and only if it is emitted. Since the circuit can do nothing but 
mimic the behavioral semantics and since there is only one fixpoint in the semantics by the 
correctness hypothesis, there is only one fixpoint in the circuit and it is the required one 4 . 

Therefore, one can view the circuit as a. folding of all possible behavioral semantics proof 
trees of a program and of its residuals in all possible environments. What the electrons do is 
to select the right prooftree in one clock cycle given a residual and an input. 

The only problem with the above proof argument is that sending control to a parallel by 
both c and a does not sum up the behaviors: one of the continuations can be discarded by the 
other one. Here, we shall simply prove that the circuit works fine under the assumption that 
the problem can never appear dynamically 5 . This leads to the following condition: 

Condition 1 (NSP) A correct program is said to be NSP (Non Schizophrenic for Parallels) if 
for any haltset H and for any event E, no parallel subterm stat - stati | | stat2 that contains 
a halt in H is evaluated in the behavioral semantics proof of the reaction of the module body 
under E both under the form stat and under the form 7£(stat H+ ). 

This is certainly a strange and non-structural condition, but its main advantage is to be 
amazingly trivial to check in the Esterel software compiling process. We have put an 
appropriate specific option in the Esterel compiler to report its failure. 

Theorem 2 For any correct NSP Esterel module M, the circuit C(M) has exactly the 
same input-output behavior as M. 

4 We talk here of abstract circuits, or equivalently we assume that concrete circuits do always find the unique 
fixpoint when it exists. 

5 The right solution would be to use two synchronizers, one for c and one for a, and to duplicate some of the logic 
of the body to signal termination to the appropriate synchronizer; in fact, one must use more than two synchronizer 
in the general case to properly handle parallel statement nesting; this will be the subject of a forthcoming paper. 
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Proof: The proof goes just as sketched, but we must inductively ensure that no parallel receives c 
and a together. 

We first study the circuit reactions when the local signal wires are opened. We consider a given 

e' 1 h' 

haltset H and a given input event E. Let P be the proof of Histat 11 ) ► H(stat H ). 

E 

Given a subterm stat\ of s tat, define the type of stat\ in P as follows: stat\ is of type null if it does 
not appear in P, of type c if it appears in P only under the form stat\ , of type a if it appears in P only 
in the form TZ(stat H+ ), and of type ca if it appears in both forms. 

For the circuit C{stat\) generated by statu we say that we send the control null if we set neither c nor 
a, the control c if we set c and not a, the control a if we set a and not c while s is set, and the control 
ca if we set both c and a while s is set. 

We show the following properties on any subterm stat\ by structural induction: 

(a) If stat i receives the control as indicated by its type in P, then it will itself send the control to 
all its sub terms as indicated by their type in P. 

(b) Under control null, C{stat\) sets no continuation, no signal, and no halt. 

E' c ,k c ,H c 

(c) If stat\ is of type c and stat\ ► stat 1 ,, then, under control c, C{stat\) emits E' c , sets the 

E 

sole continuation c kc , and sets exactly the halts in H c iff its incoming inhibition wire i has 
value 0. 

(d) If stat\ is of type a and H(statf + ) ► staf l7 then, under control a, C{stat\) emits E' a , 

E 

sets the sole continuation c ka - , and sets exactly the halts in H c iff its incoming inhibition wire i 
has value 0. 

(e) If stat] is of type ca, then, under control ca, C{stat\) realizes the union of the behaviors of case 
(c) and (d). 

First notice some general facts. The s wire is set for stat\ iff staff + . Hence only statements that 
contain halts in H will receive both a and s. By construction, any circuit C{stat\) does nothing under 
control null and sets no halt when its incoming inhibition wire i is set; otherwise, its sets its halts 
normally. Also, since all statements merge their emitted signals by or gates, the signal behavior will 
always be the expected one. 

The statements nothing, emit S, and exit T are always of type null or c and they exhibit the 
(c) behavior under c. A halt can be of any type, but it always sets c 1 and its register if i = 0 as 
required under control c, a, or ca. 

Consider a sequence stat] ; stati of type c. Then stat\ is itself of type c, and the induction tells 
that C{stat\) behaves just as stat\ under c. If stat\ terminates, then stati is of type c since the first 
sequence rule must be applied in the proof (it cannot be of type ca, otherwise the sequence itself 
would be of that type). But C{stat\) sets c 0 that starts stati under control c by the sequence wiring. 
The induction shows (c). If stat \ does not terminate, then stati is of type null and C{stat2) receives 
no control and does nothing; hence the sequence behaves just as statu which shows (c). Condition 
(a) also follows from this case analysis. 

The proof of (d) and (a) is similar for a sequence of type a, analyzing separately the cases staff + and 
statf-*-. 

Consider finally a sequence of type ca. First assume statf + . Then stat\ itself is of type ca, and the 
induction applies to it. Furthermore, stati is started under c iff stat\ terminates under c, a, or both. 
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But giving twice the control to stah is just the same as giving it once, since incoming control wires 
are gathered by an or gate, and (e) follows. Next assume stat^ + . Then stat\ is of type c, while stah 
is of type a if stat\ does not terminate, making (e) obvious, and of type ca if stat\ terminates; in the 
latter case, (e) is established by induction on stah. The case analysis is finished for the sequence, 
and it also shows (a) in all cases. 

The other operators are handled in the same way. For a parallel, one is never in case (d) by the NSP 
hypothesis, and one remembers that the i wire is set in case of exit to kill the haltsets of the subterms. 

Finally, as explained before, the circuit is forced to compute the same fixpoint as the behavioral 
semantics when closing the local signal wires. To finish the proof, just notice that the module body 
stat receives c at the first instant from the boot wire and a at the next instants from the selection wire 
that is plugged back as the activation wire. | 

8 Implementation 

8.1 Actual Implementation on PerleO 

We have experimented our hardware implementation on the PerleO board developed at 
DEC PRL [8]. It consists of a set of 25 synchronous Xilinx programmable logic cell arrays 
placed on a board and piloted by a SUN™ workstation. 

The translation is performed by the strldg processor (EsTEREL-to-digital), which is 
integrated in the standard Esterel compiler 6 . The generated logical circuit is printed out 
in PerleO format and translated into Xilinx native format by the PerleO software (we 
could as well produce portable formats such as Palasm). The logical circuit is then given 
to optimizers and the optimized result is fed into an automatic placer-router, without any 
pre-placing indication. This gives a Xilinx circuit specification. Using this environment, 
the turnover is on the order of 15 minutes from source program to running circuit for a 
medium-size program. 

On PerleO, we provide a symbolic debugging and exact speed measure environment, with 
interactive symbolic input and output from within Lisp or C. The speed measure reports at 
which maximal clock speed a circuit correctly handles a benchmark. In practice, the speed is 
30 to 75 nanoseconds for a small program (30 ns for the circuit presented in the appendix), and 
75 to 100 nanoseconds for a medium size program that still fits into a single chip (about 2-4 
pages of source Esterel code), this on a 3020 Xilinx chip. 

In debug or speed-measure mode, the Esterel program is implemented on a single chip 
and other chips are devoted to bus and debug interfaces. The applications we have handled 
so far are man-machine interfaces, real-size local area network controllers [22], and various 
circuit controllers including those used in the PerleO board itself to communicate with the 
bus and with the tested program. 



6 In fact, most of the skeleton and continuation analysis is already done by the standard compiler first pass. 
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8.2 Simulation and Correctness Proofs 

Esterel and Lustre are themselves able to describe digital hardware. The strldg 
processor is also able to unparse the circuit in Esterel or Lustre. There are two main uses: 

• After compiling the Esterel version of the circuit, we can use the full Esterel 
programming environment to perform simulations, analysis, and optimizations. 

• Once the circuit behavior automaton is generated by Esterel compiler, we can use 
the Auto verification system [9] to automatically check for equivalence between the 
source code and the circuit automata. This may seem unnecessary since the translation 
has been mathematically proved correct, but software is software and double-checks 
are always useful. Furthermore, the translation can work properly even if the sufficient 
correctness conditions are not met. If Auto reports equivalence, the circuit is perfectly 
usable even if it works by chance! 

Of course, using the Esterel standard compiler for such a circuit unparsing analysis makes 
sense only if the circuit has a reasonable number of states, say 50 to 500, which is usually the 
case for controllers. 

9 Conclusion 

Although Esterel was not at all designed as a harware description language, the work 
presented here shows it well-suited to very high-level verified hardware generation. The 
hardware implementation is directly based of the formal semantics. The electrons circulating 
in the wires perform the computation of the proof tree associated with a program and an 
input within a single clock cycle. The circuit itself can be viewed as a folding of all possible 
semantical proof trees into a graph structure. 

The translation we have presented is not general since programs are assumed to obey a 
sufficient NSP condition; we are now in the process of releasing a full correct translation of 
Esterel into circuits, based on extensions of the same ideas. 

We investigate three main kinds of applications: implementing existing Esterel programs 
on hardware to improve their performance, using Esterel to directly program hardware 
controllers, and using Esterel to build reference controllers to which actual hand-tailored 
controllers can be automatically proved equivalent. Our present experiments are very 
promising and leave place for sophisticated optimization. 

To our knowledge, the closest related works are the hardware implementation of Lustre 
and Sml [13]. The Lustre and Esterel implementations are developed in parallel and are 
fully compatible. Compared to Sml, Esterel is much more elaborate as a programming 
language, having in particular watchdogs, exceptions, and instantaneous broadcast. Our 
implementation is direct and does not use a translation to automata, although such a translation 
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is also available. Lustre, Sml, and Esterel all give access to temporal logic or process 
calculi based verifiers. We need more experience to compare the relative qualities of the 
languages and of their verification tools. 
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Appendix — A Simple Bus Interface Example 

As a toy application example, we program an interface module between a bus and a hardware 
application. This interface is a slight simplification of the one effectively used in the PerleO 
board to run actual Esterel programs hardware translations. Although the program is very 
small, we use submodules to illustrate modular programming. 

The Interface informal Specification 

The interface repeatedly waits for input from the bus, tells the application to store the 
corresponding data word, triggers a computation, and tells the application to send back the 
output data word to the bus when the computation is terminated and the bus is ready for output. 

The interface receives two signals from the bus, BUS_WRITE for input and BUS-READ for 
output. It acknowledges both input and output by sending back BUS_ACK. 

Data words are received or emitted directly by the application. To control data input, the 
interface tells the application to connect its input buffers to the data bus by setting a signal 
OPEN.INPUT. This signal is maintained until the arrival of BUS-WRITE included. After one 
clock cycle, the interface sends BUS_ACK and starts the computation by sending a signal GO 
to the application. When the computation is terminated, the application sends back a signal 
F INI SHED. The output data is then ready in the application output buffers. The interface tells 
the application to connect its output buffers to the bus by sending a signal OPEN_OUTPUT. 
This can be done only when the computation is finished and when the bus has sent BUS_READ. 
After waiting a clock cycle for the data to be effectively present on the bus, the interface sends 
BUS_ACK. 

In addition, we assume that the bus can send at any time a RESET signal telling the interface 
to reset itself to its initial state. 
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The Interface Esterel Program 



The interface module is written as follows: 



module Interface : 

input BUS_READ, BUS_WRITE, RESET; 
output BUS_ACK; 

output OPEN_INPUT, OPEN_OUTPUT, GO; 
input FINISHED; 



Q, 
O 



Q, 
O 



from bus 
to bus 

to application 
from application 



loop 

loop 

run Input; 

run ComputeAndOutput 

end 
each RESET. 

Notice that the RESET signal is completely factored out and effectively resets the interface 
independently of its current internal state. 

The Input submodule is written as follows: 

module Input : 

input BUS_WRITE; % from bus 
output BUS_ACK; % to bus 

output OPEN_INPUT; % to application 
trap INPUT in 

sustain OPEN_INPUT 

I I 

await BUS_WRITE do exit INPUT end 
end; 

await tick; 
emit BUS_ACK. 

Here we use a trap construct to ensure that OPEN_INPUT is emitted when BUS-WRITE is 
received. One could write as well: 



sustain OPEN_INPUT 
watching BUS_WRITE; 
emit OPEN_INPUT; 

By the semantics of the watching construct, the statement "sustain OPEN_INPUT" is 
not executed when BUS_WRITE occurs. This is why OPEN_INPUT must be explicitly emitted 
at that instant. 
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The ComputeAndOutput module is written as follows: 



module ComputeAndOutput 



input BUS_READ; 
output BUS_ACK; 



Q, 
O 



Q, 
O 



from bus 
to bus 

to application 
from application 



output GO, OPEN_OUTPUT; 
input FINISHED; 



O, 

o 



await BUS_READ 



emit GO; 

await FINISHED; 



] ; 



emit OPEN_OUTPUT; 
await tick; 
emit BUS_ACK. 

Notice how the parallel statement realizes the synchronization: it terminates exactly when the 
computation is finished and the bus ready to read. 

Once optimized, placed, and routed, the circuit uses up 9 cells on on a Xilinx 3020 circuit. 
There are 5 registers and 1 1 logical functions with a total of 35 inputs. 

The Advantages of Esterel 

The automaton generated by the Esterel compiler is pictured in Figure 3. Notice the 
diamond generated by the parallel statement that appears in ComputeAndOutput. Notice 
also the reset arrows that go from any state into state 1: they are all generated by the 
single "loop ... each RESET" statement. Of course, such a small automaton can be 
easily designed by hand. The advantage of Esterel programming really appears for more 
complex controllers. The modularity of the language, its built-in concurrency, and the power 
of its control structures allows the user to build controllers by assembling individually simple 
modules into bigger ones. For example, to perform speed benchmarks on PerleO, we use a 
variant of the bus interface that inputs two data words and performs computation and output 
twice in a row. To obtain this interface, one just changes the Interface module body into 
(roughly): 

run Input [signal OPEN_INPUT_l / OPEN_INPUT] ; 
run Input [signal OPEN_INPUT_2 / OPEN_INPUT] ; 
run ComputeAndOutput [signal OPEN_OUTPUT_l / OPEN_OUTPUT, 

GO_l / GO] ; 

run ComputeAndOutput [signal OPEN_OUTPUT_2 / OPEN_OUTPUT, 

GO_2 / GO] 

Usually, a relatively simple change to a specification involves a simple and local change to 
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RESET? 
.OPENJNPUT! 




Figure 3: The Interface Automaton 

an Esterel program. This is definitely not true of finite automata, which are highly unstable 
with respect to specification changes. We strongly believe that programming controllers in 
Esterel is one order of magnitude simpler that designing finite state machines by hand. 
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